Algebraic manipulation detection codes from algebraic curves

ABSTRACT

A method for protecting encoded data from algebraic manipulation includes receiving a data word sεK d  to be protected, randomly selecting two integers a ε{0, . . . , q−1} and b ε{0, . . . , √q−1}, finding a point (α, β) on a Hermitian curve over a field F q  that corresponds to the randomly selected integers (a, b) from a mapping (a, b) (α, β)=(u a , u a   √q+1 z+v b ), where 
               u   a     :=     {           0             if   ⁢           ⁢   a     =   0     ,               γ   1     a   -   1           otherwise         ,           ⁢       V   b     :=     {           0             if   ⁢           ⁢   b     =   0     ,               γ   2     b   -   1           otherwise         ,                   
and z is an element of the field F q  of unit trace, and where γ 1  is a fixed primitive element of the field F q  and γ 2  is a primitive element of a field F √q   ⊂ F q , and calculating a sum f s (α, β)=α i     d+1   β j     d+1   +Σ k=1   d α i     k   βk j     k    for a set of d+1 integers pairs I ={(i k ,j k )} k=1   d+1 , where the encoded word is a triple (s, (α, β),f s (α, β)).

TECHNICAL FIELD

This application is directed to error detection and protection from side channel attacks with block cipher cryptographic algorithms.

DISCUSSION OF THE RELATED ART

A block cipher is a deterministic cryptographic algorithm that operates on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers typically carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. A block cipher uses two paired algorithms, one for encryption and an inverse algorithm for decryption. Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input —the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plain text. Each key selects one permutation from the possible set of all permutations over the set of input blocks. Today, there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute force attacks. A multitude of modes of operation have been designed to allow block ciphers to be repeatedly and securely used, commonly to achieve the security goals of confidentiality and authenticity.

One example of a block cipher is the Advanced Encryption Standard (AES), a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001 which uses blocks of 2⁷=128 bits. Other block ciphers include the Data Encryption Standard (DES), Triple DES, the International Data Encryption Algorithm (IDEA), RC5, and Blowfish. The AES has been adopted by the U.S. government and is now used worldwide. All known direct attacks on the AES are computationally infeasible. However, there are several known side-channel attacks on certain implementations of AES, which do not attack the underlying cipher, but rather attack implementations of the cipher on systems which inadvertently leak data. Power consumption, electro-magnetic radiation, execution time, and behavior in the presence of faults can all be used to drastically decrease the complexity of cryptanalysis. Mobile cryptographic devices such as smartcards and mobile computers are especially vulnerable since the physical hardware implementing the algorithms, and hence the side-channel information, is easily accessible. Side channel attacks can use information obtained from an incorrectly functioning implementation of an algorithm to derive the secret information. Incorrect operation can result from faults within a circuit which may be due to natural effects or may be maliciously induced.

The concept of non-probabilistic error detection codes for protecting data against adversarial error injection was introduced by Kulikowski, et al. (K. J. Kulikowski, M. G. Karpovsky, and A. Tubing, “Robust Codes and Robust, Fault Tolerant Architectures of the Advanced Encryption Standard”, J. of System Architecture, Vol. 53, pp. 138-149, 2007, the contents of which are herein incorporated by reference in their entirety), and that of probabilistic algebraic manipulation detection (AMD) codes was introduced by Cramer, et al. (R. Cramer, Y. Dodis, S. Fehr, C. Padro, and D. Wichs, “Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors”, Cryptography ePrint Archive, Report 2008/030, 2008, the contents of which are herein incorporated by reference in their entirety). An AMD code can probabilistically encode a plaintext source string s from a set S as an element of a group G, with a unique decodability. In a case of an adversary intentionally flipping bits of data for revealing a secret of the AES, a technique known as intentional fault injection, AMD codes can detect a worst case bit-flipping error with high probability. Redundancy can be added to guarantee the detection of the worst-case error. Kulikowski propose the use of weak AMD codes, in which security holds only for a random sεS, rather than an arbitrary string, and which are derived from perfect nonlinear functions. However, Kulikowski assumes that the injected error is added (modulo 2) to the valuable data, and that the error checking is performed on x+e, where x is the original data, while the injected error e does not depend on the choice of x. This checking could require calculations on very large finite fields. Cramer focuses on the use of strong AMD codes from the evaluation of polynomials. However, Cramer's methods also require working in very large finite fields if a large number of bits need to be protected, even if the miss probability is modest. For example, to protect 2¹⁶ bits with a miss probability of 1%, calculations are performed in F₂ ₁₉ .

SUMMARY

Exemplary embodiments of the disclosure as described herein generally include systems and methods for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with a block cipher algorithms. Embodiments of the disclosure can efficiently provide protection to very large chunks of data, e.g. chunks larger than about 2¹⁵ bits, which is 256 AES blocks, before the data is encrypted, where the allowed miss probability is of order 10⁻² to 10⁻³. Embodiments of the disclosure can perform protection simultaneously on several block cipher blocks.

According to an aspect of the invention, there is provided a method for protecting data from algebraic manipulation, including receiving a data word s εF_(q) ^(d) to be protected, wherein q is a prime power and F_(q) ^(d) is a vector space over the finite field F_(q) including vectors (x₁, x₂, . . . , x_(d)) with x_(i) εF_(q) for all iε{1, . . . , d}, fixing a basis {1, b₁, . . . , b_(d)} for a Riemann-Roch space L(m_(d)Q) as an F_(q)-vector space, wherein Q is a distinct place of degree 1 of an algebraic function field F/F_(q) of one variable with full constant field F_(q) and with genus g and m_(d) is a pole number of Q, uniformly drawing an index i from a set I:={1, . . . , n}, and encoding s as (s, i, f_(s)(P_(i)))εF_(q) ^(d)×I_(n)×F_(q), wherein f_(s)(P_(i)) is defined as f_(s):=x^([f(d)])+Σ_(j=1) ^(d)s_(j)b_(j), wherein r(d):=min{j|∃×εL(m_(j)Q):∀σεΦ,σ≠id: σ(x)−xεL(m_(j)Q)|L(m_(d)Q)}, Φ is a subgroup of Aut_(D,Q)(F/F_(q)):={σεAut(F/F_(q))|σ(Q)=Q and σ(D)=D}, Aut(F/F_(q)) is a group of automorphisms of F over F_(q), D:=P₁+ . . . +P_(n) wherein Q, P₁, . . . , P_(n) are pairwise distinct places of F/F_(q) of degree 1, and x^([r(d)]) is an element of L(m_(r(d))Q) for which σ(x^([r(d)]))−x^([r(d)])εL(m_(e)Q)\L(m_(d)Q) for all σεΦ, σ≠id, and for a minimum possible e≧d+1, wherein a received triple r:=(

ĩ, {tilde over (v)})εF_(q) ^(d)×I_(n)×F_(q) is valid iff {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)).

According to a further aspect of the invention, the method includes protecting the index i with a weak AMD code, wherein an error is detected in (

, ĩ, {tilde over (v)})) by checking the index ĩ, and if the ĩ-check passes, checking whether {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)).

According to a further aspect of the invention, the weak AMD code is constructed from a perfect nonlinear function.

According to a further aspect of the invention, wherein q is a square and the number of places of degree 1 is q^(r) for some integer r, the perfect non-linear function

$\left. {F_{q}^{r} \cong F_{\sqrt{q}}^{2\; r}}\rightarrow F_{\sqrt{q}} \right.$ is constructed as (x₁, . . . , x_(2r))

x₁x₂+x₃x₄+ . . . +x_(2r−1)x_(2r).

According to a further aspect of the invention, the method includes encoding the data word s using a block cipher.

According to a further aspect of the invention, the block cipher is selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.

According to an aspect of the disclosure, there is provided a computer processor configured to execute a program of instructions to perform method steps for protecting encoded data from algebraic manipulation, the method including receiving a data word see to be protected, where K is a finite field of q elements for a square prime power q and a predetermined d, randomly selecting two integers a ε{0, . . . , q−1} and bε{0, . . . ,√q−1}, finding a point (α, β) on a Hermitian curve over a field F_(q) that corresponds to the randomly selected integers (a, b) from a mapping (a, b)

(α, β)=( u_(a), u_(a) ^(√q+1)z+v_(b)), where

$u_{a}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} a} = 0},} \\ \gamma_{1}^{a - 1} & {otherwise} \end{matrix},\mspace{14mu}{V_{b}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} b} = 0},} \\ \gamma_{2}^{b - 1} & {otherwise} \end{matrix},} \right.}} \right.$ and z is a pre-selected element of the field F_(q) of unit trace, and where γ₁ is a pre-selected fixed primitive element of the field F_(q) and γ₂ is a pre-determined fixed element of the field F_(q) which is a primitive element of a field F_(√q) ⊂F_(q), and calculating a sum f_(s)(α, β)=α^(i) ^(d+1) β^(j) ^(d+1) +Σ_(k=1) ^(d)s_(k)α^(i) ^(k) β^(j) ^(k) for an appropriate set of d+1 integers pairs I={(i_(k),j_(k))}_(k=1) ^(d+1), where the encoded word is a triple (s, (α, β), f_(s)(α, β)).

According to a further aspect of the disclosure, the Hermitian curve

over F_(q), is defined by point pairs (α, β) where

={(α, β)εF_(q)×F_(q)|β^(√q)+β=α^(√q+1)}, where √q=2^(m/2) is an integer for an even m.

According to a further aspect of the disclosure, the method includes calculating q and the dimension d based on a number uεN* of information bits to be protected and a maximum allowed miss probability, 2^(−κ), for κεN, where q and d satisfy log(q^(d))≧u.

According to a further aspect of the disclosure, calculating q and the dimension d includes initializing m=2κ, and if

${\left\lceil \frac{u}{m} \right\rceil \leq {2^{{3{m/2}} - \kappa} - 2^{m - 1} - 2^{{m/2} - 1}}},$ setting

${d = \left\lceil \frac{u}{m} \right\rceil},$ where q=2^(m).

According to a further aspect of the disclosure, if

${\left\lceil \frac{u}{m} \right\rceil > {2^{{3{m/2}} - \kappa} - 2^{m - 1} - 2^{{m/2} - 1}}},$ the method includes incrementing m by 2 and repeating the step of setting

${d = \left\lceil \frac{u}{m} \right\rceil},$ if

$\left\lceil \frac{u}{m} \right\rceil \leq {2^{{3{m/2}} - \kappa} - 2^{m - 1} - {2^{{m/2} - 1}.}}$

According to a further aspect of the disclosure, γ₂=γ₁ ^(√q+1), and z is determined by scanning γ₁, γ₁ ², . . . , until an element of unit trace is found, where an element of unit trace z satisfies z^(√q)+z=1.

According to a further aspect of the disclosure, the method includes finding a (d+1)-th pole number, m_(d), of a place Q of F/F_(q) of degree 1, where a set of pole numbers of place Q is {i√q+j(√q+1)|i≧0, 0≦j≦√q−1}, where exponents I₁={(i_(k),j_(k))}_(k=1) ^(d)={(i,j)εN×N|i+j<i*+j* and j≦√{square root over (q)}−1}∪{(i,j)εN×N|i+j=i*+j* and j≦j*}

are a pre-calculated set of all pairs (i, j)εN×N that correspond to pole numbers m₁, m₂, . . . , m_(d), i*εN, j*ε{0, . . . , √{square root over (q)}−1} are unique integers such that m_(d)=i*√{square root over (q)}+j*(√{square root over (q)}+1) and exponents (i_(d+1), j_(d+1)) are pre-calculated from

$\left( {i_{d + 1},j_{d + 1}} \right):=\left\{ {\begin{matrix} \left( {{i^{*} + 2},j^{*}} \right) & {{{if}\mspace{14mu} 2} \nmid j^{*}} \\ \left( {{i^{*} + 1},{j^{*} + 1}} \right) & {{{if}\mspace{14mu} 2} \mid j^{*}} \end{matrix}.} \right.$

According to a further aspect of the disclosure, if d≧g=(√q−1)√q/2, then the (d+1)-th pole number m_(d) is m_(d)=2g+(d−g)=d+g, and if dε{0, . . . , g−1}, the method includes finding a largest positive integer l such that

${\frac{l \times \left( {l + 1} \right)}{2} \leq {d + 1}},$ where if

${\frac{l \times \left( {l + 1} \right)}{2} = {d + 1}},$ then m_(d)=i*√q+j*(√q+1) for i*=0 and j*=l−1, otherwise m_(d)=i*√q+j*(√q+1) for j*=d−l(l+1)/2ε{0, . . . , l≦√q−2} and i*l−j*≧0.

According to a further aspect of the disclosure, the method includes encoding the data word s using a block cipher.

According to a further aspect of the disclosure, the block cipher may be selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.

According to a further aspect of the disclosure, the computer processor is a hardware implementation that encodes the program of instructions to perform the method steps for protecting encoded data from algebraic manipulation.

According to a further aspect of the disclosure, the computer processor may be one of an application specific integrated circuit, or a field programmable gate array.

According to another aspect of the disclosure, there is provided a computer processor configured to encode and execute a program of instructions to perform the method steps for protecting encoded data from algebraic manipulations, the method including receiving a triple (s, (α, β), γ) that is an element of F_(q) ^(d)×F_(q) ²×F_(q), where s is an encoded data word, and q and d are predetermined constants, determining whether β^(√q)+β=α^(√q+1), and if β^(√q)+β=α^(√q+1), determining whether a sum f_(s)(α, β)=γ, where f_(s)(α, β)=α^(i) ^(d+1) βd^(j) ⁺¹ +Σ_(k=1) ^(d)s_(k)α^(i) ^(k) β^(j) ^(k) for an appropriate set of d+1 integers pairs I={(i_(k),j_(k))}_(k=1) ^(d+1), where if either β^(√q)+β≠α^(√q+1) or f_(s)(α, β)≠γ, declaring an error, otherwise declaring that no error was injected into s.

According to a further aspect of the disclosure, the method includes calculating q and the dimension d based on a number uεN* of information bits being protected and a maximum allowed miss probability, 2^(−κ), for κεN, where q and d satisfy log(q^(d))≧u.

According to a further aspect of the disclosure, calculating q and the dimension d includes initializing m=2κ, and if

${\left\lceil \frac{u}{m} \right\rceil \leq {2^{\frac{3m}{2} - \kappa} - 2^{m - 1} - 2^{\frac{m}{2} - 1}}},$ setting

${d = \left\lceil \frac{u}{m} \right\rceil},$ where q=2^(m) for even m.

According to a further aspect of the disclosure, if

${\left\lceil \frac{u}{m} \right\rceil > {2^{{3{m/2}} - \kappa} - 2^{m - 1} - 2^{{m/2} - 1}}},$ the method further comprises incrementing m by 2 and repeating the step of setting

${d = \left\lceil \frac{u}{m} \right\rceil},$ if

$\left\lceil \frac{u}{m} \right\rceil \leq {2^{{3{m/2}} - \kappa} - 2^{m - 1} - {2^{{m/2} - 1}.}}$

According to a further aspect of the disclosure, the method includes finding a (d+1)-th pole number, m_(d), of a place Q of F/F_(q) of degree 1, where a set of pole numbers of place Q is {i√q+j(√q+1)|i≧0, 0≦j≦√q−1}, where exponents I₁={(i_(k),j_(k))}_(k=1) ^(d){(i,j)εN×N|i+j<i*+j* and j≦√{square root over (q)}−1}∪{(i,j)εN×N|i+j=i*+j* and j≦j*}

are a pre-calculated set of all pairs (i, j)εN×N corresponding to pole numbers m₁, m₂, . . . , m_(d), and exponents (i_(d+1), j_(d+1)) are pre-calculated from

$\left( {i_{d + 1},j_{d + 1}} \right):=\left\{ {\begin{matrix} \left( {{i^{*} + 2},j^{*}} \right) & {{{if}\mspace{14mu} 2} \nmid j^{*}} \\ \left( {{i^{*} + 1},{j^{*} + 1}} \right) & {{{if}\mspace{14mu} 2} \mid j^{*}} \end{matrix}.} \right.$

According to a further aspect of the disclosure, if d≧g=(√q−1)√q/2, then the (d+1)-th pole number m_(d) is m_(d)=2g+(d−g)=d+g, and if dε{0, . . . , g−1}, the method further comprises finding a largest positive integer l such that

${\frac{l \times \left( {l + 1} \right)}{2} \leq {d + 1}},$ where if

${\frac{l \times \left( {l + 1} \right)}{2} = {d + 1}},$ then m_(d)=i*√q+j*(√q+1) for i*=0 and j*=l−1, otherwise m_(d)=i*√q+j*(√q+1) for j*=d−l(l+1)/2ε{0, . . . , l≦√q−2} and i*=l−j*≧0.

According to a further aspect of the disclosure, the data word s was encoded using a block cipher.

According to a further aspect of the disclosure, the block cipher may be selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.

According to a further aspect of the disclosure, the computer processor is a hardware implementation that encodes the program of instructions to perform the method steps for protecting encoded data from algebraic manipulation.

According to a further aspect of the disclosure, the computer processor may be one of an application specific integrated circuit, or a field programmable gate array.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an overall protected word, including data s, the index of point P, and the parity bits, in addition to index protection bits, according to an embodiment of the disclosure.

FIG. 2 depicts data corrupted by flipping some of the bits, by replacing the original data s with data s′, and by flipping some of the redundancy bits, according to an embodiment of the disclosure.

FIG. 3 depicts Δ₁ for the part of the additive error that influences the “index protection” field, Δ₂ for the part that influences the “index of point” field, and Δ₃ for the part that influences the “parity bits” field, according to an embodiment of the disclosure.

FIGS. 4A-B are flowcharts of methods for encoding and decoding data using pre-AMD codes, according to an embodiment of the invention.

FIG. 5 is a table of comparisons of the AMD codes of Cramer, et al., and of AMD Hermitian codes according to an embodiment of the disclosure.

FIGS. 6A-B are flowcharts of methods for encoding and decoding data using AMD Hermitian codes, according to an embodiment of the disclosure.

FIG. 7 is a block diagram of a system for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with block cipher cryptographic algorithms, according to an embodiment of the disclosure.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary embodiments of the invention as described herein generally provide systems and methods for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with a block cipher cryptographic algorithm. While embodiments are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit the invention to the particular forms disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Algebraic manipulations may be defined as follows: suppose there is some data s to be protected with some redundancy r appended to s for detecting manipulations. The adversary is allowed to: (1) replace s by some s′ of his/her will, possibly depending on s; and (2) Add some error A to r, where A may depend on s. Hence, the original data (s, r) is modified to be (s′,r+Δ). Note that it is assumed that r sits in some abelian group and the “+” in “r+Δ” is the addition of this group. Typically, the abelian group is just the underlying abelian group of F₂ ^(n).

According to an embodiment of the disclosure, to protect data sεK^(d), where K is a finite field, one can select a random point P of an algebraic curve, where the point is represented by a tuple of elements from K, and calculate the parity bits parity bits(s,P)=f _(d+1)(P)+Σ_(k=1) ^(d) s _(k) ·f _(k)(P), where the f_(i), 1≦i≦d+1, are appropriately chosen rational, typically polynomial, functions that map curve points to elements of K. The overall protected word includes the data s, the index of point P, and the parity bits, in addition to index protection bits, as shown in FIG. 1. The index of point P, the index protection bits, and the parity bits are known as redundancy bits. The index protection bits include parity bits on the index itself, and may use weak AMD codes, or codes derived from Hermitian curves. Now, an adversary may corrupt the data by replacing the original data s with data s′, and may flip any portion of the redundancy bits, as shown in FIG. 2. For convenience, as shown in FIG. 3, one may write Δ₁ for the part of the additive error that influences the “index protection” field, Δ₂ for the part that influences the “index of point” field, and Δ₃ for the part that influences the “parity bits” field.

Upon receipt of a corrupted word, a receiver may first check for the integrity of the index using the index protection field. This check may amount to checking a standard weak AMD code, or could amount to checking if a pair is a point on a Hermitian curve, as will be described in detail below. If this check fails, an error may be declared; otherwise a second check may be performed. In the second check, the parity bits are compared: parity bits(s′,P+Δ ₂)==(parity bits+Δ₃)? If these bits are not equal, an error may be declared, otherwise it may be determined that no error was injected. Construction of AMP codes

Let q be a prime power and let F/F_(q) be an algebraic function field of one variable with frill constant field F_(q) and with genus g. Let Q, P₁, . . . , P_(n) be pairwise distinct places of F/F_(q) of degree 1, and write D:=P₁+ . . . +Write Aut _(D,Q) :={σεAut(F/F _(q))|σ(Q)=Q and σ(D)=D} where Aut(F/F_(q)) is the group of automorphisms of F over F_(q); the definition of Aut_(D,Q) says that the action of this group on the set of places of F/F_(q) fixes Q and permutes P₁, . . . , P_(n).

For a place R of F/F_(q), one may write v_(R) for the discrete valuation associated with R. For a divisor G of F/F_(q), let L(G) be the Riemann-Roch space defined by L(G):={fεF*|(f)+G≧0}∪{0}, where (f) represents the principal divisor of f. L(G) is a vector space over F_(q), and by the Riemann-Roch theorem one has dim(L(G))≧deg(G)−g+1, with equality if deg(G)≧2g−1, where deg(G) is the degree of G.

Let m₀:=0<m₁<m₂< . . . be the pole numbers of Q. So, for all i, L((m_(i)−1)Q)/⊂L(m_(i)Q). According to the Riemann-Roch theorem, starting from 2g, all integers are pole numbers, and there are exactly g gaps (integers that are not pole numbers) in {1, . . . , 2g−1}. In addition, for all xεL(m_(i)Q)\L(m_(i−1)Q) and all σεAut_(D,Q), σ(x) is also in L(m_(i)Q)\L(m_(i−1)Q).

Let Φ⊂Aut_(D,Q)(F/F_(q)) be a subgroup. For d>1, the dimension of the information set, let r(d):=min{j|∃εL(m _(j) Q):∀σεΦ,σ≠id:σ(x)−xεL(m _(j) Q)\L(m _(d) Q)}   (1) and let x^([r(d)]) be some element in L(m_(r(d))Q) for which σ(x^([r(d)]))−x^([r(d)])εL(m_(e)Q)\L(m_(d)Q) for all σεΦ, σ≠id, and for the minimum possible e≧d+1, which will be known as e(d). Note that if Φ={id}, then there is no restriction on x^([r(d)]), and therefore x^([r(d)]) may be chosen freely, e.g., one may choose x^([r(d)])=0.

It is implicit in the definition of r(d) that the set from which the minimum element in the right-hand side of EQ. (1) is taken is non-empty. For the Hermitian case, conditions for this to hold will be found in the following section. For the general case, where an arbitrary function field is used, note again that if Φ={id}, then the condition in EQ. (1) is always met, and hence one may always take x^([r(d)])=0.

Before constructing the target AMD codes, one begins by constructing weaker codes, which may be referred to as pre-AMD codes. A flowchart of a method of encoding data using pre-AMD codes is presented in FIG. 4A. Referring now to the figure, at step 41, let sεF_(q) ^(d) be the information to be protected. Fix some basis {1, b₁, . . . , b_(d)} for L(m_(d)Q) as an F_(q)-vector space at step 42, and define f _(s) :=x ^([r(d)])+Σ_(j=1) ^(d) s _(j) b _(j).

A code according to an embodiment of the disclosure may be defined as follows. An index i is drawn uniformly from the set I_(n):={1, . . . , n} at step 43, and the data word s is encoded as (s, i, f_(s)(P_(i)))εF_(q) ^(d)×I_(n)×F_(q) at step 44, where f_(s) is defined as above. It may be assumed in some embodiments that an adversary knows s, but not i and f_(s)(P_(i)). The allowed manipulations for this pre-AMD code are: (1) replace s by some s′εF_(q) ^(d), (2) add a constant in F_(q) to f_(s)(P_(i)), and (3) apply to i a constant permutation πεS_(n) that corresponds to the action of some σεΦ on {P₁, . . . , P_(n)}. According to an embodiment of the disclosure, this may be known as a defined code C_(d). A code according to an embodiment of the disclosure can protect against manipulations of type (1) and (2) for any choice of x^([r(d)]). However, if an element x^([r(d)]) satisfies the above conditions imposed by Φ, then a code according to an embodiment of the disclosure can protect against the manipulations on the index part described by manipulations of type (3). So, a code according to an embodiment of the disclosure encodes log(q^(d)) bits of information to obtain an encoded word of length log(q^(d))+log(n)+log(q)=log(nq^(d+1)). Note here that all logs are to the base of 2, thus a base subscript will be omitted hereinbelow. A decoder according to an embodiment of the disclosure works as follows, with reference to the flowchart of FIG. 4B: receive a triple r:=(

, ĩ, {tilde over (v)})εF_(q) ^(d)×I_(n)×I_(n)×F_(q) at step 46; check if {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)) at step 47; declare r valid if the check passes, at step 48; otherwise, at step 49, declare r to be invalid. In other words, a received triple r:=(

{tilde over (l)},{tilde over (v)})εF_(q) ^(d)×I_(n)×F_(q) is valid iff {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)).

Theorem 1. For the set of manipulations described above, the miss probability of the pre-AMD code C_(d) is not above m_(e)/n≦(e+g)/n, where e=e(d).

Proof. For simplicity and without loss of generality, it may be assumed that after drawing i, the encoding is of the form s

(s, P_(i), f_(s)(P_(i))). Note that specifying i in the second coordinate is like specifying P_(i). For an arbitrary fixed s, it is desired to find an upper bound on the probability (over i) that an adversary succeeds, that is, that for s′≠sεF_(q) ^(d), some fixed ΔεF_(q) and some fixed σεΦ, there is f_(s′)(σ(P_(i)))=f_(s)(P_(i))+Δ. In detail, one would like to bound the number of possible choices of i for which x ^([r(d)])(σP _(i))−x ^([r(d)])(P _(i))+Σ_(j=1) ^(d) s′ _(j) b _(j)(σP _(i))−Σ_(j=1) ^(d) s _(j) b _(j)(P _(i))−Δ=0.  (2) If σ=id, then EQ. (2) becomes (Σ_(j=1) ^(d)(s′ _(j) −s _(j))b _(j)−Δ)(P _(i))=0. Because Σ_(j=1) ^(d)(s′_(j)−s_(j))b_(j)−Δ is a non-zero element of L(m_(d)Q), as s≠s′, it has at most m_(d)<m_(e) zeros.

Otherwise, if a is not the identity, then since for all u with v_(σP) _(i) (u)≧0 one has u(σP_(i))=σ⁻¹(u)(P_(i)), because for all τεAut(F/F_(q)) and all u with v_(P) _(i) (u)≧0, τ(u)(τ(P_(i)))=u(P_(i)); one obtains that for all i, x ^([r(d)])(σP _(i))−x ^([r(d)])(P _(i))=(σ⁻¹(x ^([r(d)]))−x ^([r(d)]))(P _(i))=z(P _(i)) for some zεL(m _(e) Q)\L(m _(d) Q) by the definition of x^([r(d)]) and e=e(d). Also,

${{\sum\limits_{j = 1}^{d}{s_{j}^{\prime}{b_{j}\left( {\sigma\; P_{i}} \right)}}} - {\sum\limits_{j = 1}^{d}{s_{j}{b_{j}\left( P_{i} \right)}}} - \Delta} = {{\sum\limits_{j = 1}^{d}{\left( {{s_{j}^{\prime}{\sigma^{- 1}\left( b_{j} \right)}} - {s_{j}b_{j}} - \Delta} \right)\left( P_{i} \right)}} = {w\left( P_{i} \right)}}$      for  some  w ∈ L(m_(d)Q), possibly  0. Note that for all τεAut_(D,Q), all u εF and all mεN* (where N* is the set of positive integers), uεL(mQ)

τuεL(mQ)). Since m_(e)>m_(d), it follows from the strict triangle inequality that for all i, the left-hand side of EQ. (2) is of the form u(P_(i)) for some uεL(m_(e)Q)\L(m_(d)Q) that does not depend on i. Since the number of places P_(i) such that u(P_(i))=0 is not greater than m_(e), the proof is complete. ▪

Next, drop the restriction that the manipulations on the i part may only come from automorphisms of the function field. This will be done in detail for the Hermitian case in the following section.

In general, one can move from pre-AMD codes to AMD codes by adding protection on the index i. In one option according to an embodiment of the disclosure, Φ={id}, and so the protection should detect with high probability any constant additive error on the (typically binary) vector representing i. In another option according to an embodiment of the disclosure, Φ

{id}, and the protection is allowed to miss those additive errors that correspond to automorphisms from Φ. This option is used in the Hermitian case described below. In the first option according to an embodiment of the disclosure, Φ={id} and there are no restriction on x^([r(d)]), and one may choose x^([r(d)])=0, resulting in f_(s)=Σ_(j=1) ^(d)s_(j)b_(j). To replace and enhance the lost protection of the index part against the manipulations of type (3), embodiments of the disclosure may include an explicit protection on the index-field, in the form of a weak AMD code. The miss probability will then be at most max {δ, m_(d)/n≦(d+g)/n}, where δ is the probability of missing an error on i. Here, i is first checked, and if the check passes, f_(s)(P_(i)) is checked. If the i-check fails, an error may be declared. If an adversary injects an error on i, then this error itself may already be detected with probability δ, regardless of the other errors. So, the i-check will be transparent if δ≦(d+g)/n. Because g/n is at least about 1/√q, it is enough to assure that δ is not above about 1/√q. In general, this can be achieved by using a perfect non-linear function with codomain F_(√q). So, for a fixed q, even if n grows to infinity using an optimal tower of function fields, the redundancy required for protecting i does not grow. Note also that if q is a square and the number of places of degree 1 is q^(r) for some integer r, then there is a very simple way to construct a perfect non-linear function

$\left. {F_{q}^{r} \cong F_{\sqrt{q}}^{2\; r}}\rightarrow{F_{\sqrt{q}}\text{:}\mspace{14mu}{take}\mspace{14mu}\left( {x_{1},\ldots\mspace{14mu},x_{2r}} \right)}\mapsto{{x_{1}x_{2}} + {x_{3}x_{4}} + \ldots + {x_{{2r} - 1}{x_{2r}.}}} \right.$

The construction of the codes according to embodiments of the current disclosure can also be described in terms of error-correcting codes. Let C⊂F_(q) ^(n) be a code with |C|=q^(k) for some k≦n, and let c:F_(q) ^(k)→C be a bijection (an encoding function). A permutation σεS_(n), where S_(n) is the symmetric group on n letters, may be called a quasi-automorphism of C if for all uεC there exists u′εC and a constant vector d=(Δ, . . . , Δ)εF_(q) ^(n) such that σu=u′+d, where σu:=(u_(σ(1)), . . . , u_(σ(n))).

Suppose that the set of indices I:={1, . . . , n} of C is embedded in some abelian group A via an injective function t:I→A (it is not required that the image of I is a subgroup of A), so that one may think of the indices as elements of A. For simplicity, consider I as a subset of A, without explicit reference to the injection t.

Given a message sεF_(q) ^(k), an index iεI may be chosen at random, and the encoded message may be defined to be the triple (s, i, [c(s)]_(i)), where for a vector v, [v]_(i) represents the i-th coordinate of v. Decoding works as follows: given a triple (s′, a, y)εF_(q) ^(k)×A×F_(q), one first checks whether αεI (this check is only necessary if I is a proper subset of A), and then, if this check succeeds, one checks whether y=[c(s′)]_(α). The message is declared valid if and only if the two tests are successful.

The need to effectively cope with injected errors of the form (s, i, [c(s)]_(i))

(s′,i+Δ₂, [c(s)]_(i)+Δ₃), where s′εF_(q) ^(k),Δ₂εA, Δ₃εF_(q), and s′, Δ₂, Δ₃ are allowed to depend on s, imposes some constraints on the possible codes C to be used:

-   -   1. For the case where Δ₂=0, for all distinct codewords c(s),         c(s′) and for all Δ₃εF_(q), the number of choices of i for which         [c(s′)]_(i)=[c(s)]_(i)+Δ₃ should be small. Put differently, for         all distinct codewords u, u′ of C, the Hamming distance between         u and any shift of u′ by a constant vector should be large. In         particular, the minimum Hamming distance of C should be large.         To meet this requirement C should not contain more than one         constant vector.     -   2. For the case where Δ₂≠0 and i+Δ₂εI, the map i         i−Δ₂ should not be a quasi-automorphism of C, for otherwise, for         all s, there exist s′εF_(q) ^(k) and Δ₃εF_(q) such that for all         i, [c(s)]_(1−Δ) ₂ =[c(s′)]_(i)−Δ₃, that is, [c(s′)]_(i+Δ) ₂         =[c(s)]_(i)+Δ₃.

The construction of the AMD codes according to embodiments of the current disclosure may also be described as follows. The algebraic-geometry codes C_(L) (P₁+ . . . +P_(n), m_(d) Q) (as defined, e.g., in Definition II.2.1, p. 42-43 of H. Stichtenoth, Algebraic Function Fields and Codes, Springer Universitext, 1993, the contents of which are herein incorporated by reference in their entirety) are useful because these codes have a large minimum Hamming distance. However, without some changes, these codes do not meet conditions 1 and 2 above. So, to meet condition 1, use a subcode spanned by non-constant functions: starting with the basis {1, b₁, . . . , b_(d)} of L(m_(d)Q), keep only the non-constant functions {b₁, . . . , b_(d)}. To meet condition 2, use an appropriate coset, C: the coset containing the evaluation of x^([r(d)]).

True AMD Codes from the Hermitian Function Field

For a square prime power q, a Hermitian function field H/F_(q) is defined as H=F_(q)(x, y) with x transcendental over F_(q) and with x and y satisfying y^(√q)+y=x^(√q+1). There i+y is only one Hermitian function field over F_(q), up to isomorphism. The Hermitian function field has q√q+1 places of degree one: the common pole Q of x and y, and for each (α, β) εF_(q)×F_(q) with β^(√q)+β=α^(√q+1), there is a unique place P_(α,β) of H of degree one such that x(P_(α,β))=α and y(P_(α,β))=β. Also, v_(Q)(x)=−√{square root over (q)}, v_(Q)(y)=−(√{square root over (q)}+1), and for all mεN, the set {x ^(i) y ^(j) |i≧0,0≦j≦√q−1,i√q+j(√{square root over (q)}+1)≦m} is a basis for L(mQ). Hence, the set (semigroup) {i√q+j(√q+1)|i≧0, 0≦j≦√q−1} of pole numbers of Q can be described as a set of non-negative integers r with └r/√{square root over (q)}┘≧r mod √q (write i√q+j(√q+1)=(i+j)√q+j)). So: 0, (√q,√q+1), (2√q, 2√q+1, 2√q+2), . . . . The genus of H/F_(q) is g=√q(√q−1)/2.

Define

:={(α,β)εF _(q) ×F _(g)|β^(√q)+β=α^(√q+1)} for a Hermitian curve over F_(q).

The automorphism group Aut_(ΣP) _(α,γ) _(,Q) is generated by automorphisms {τ_(ε)}_(εεF) _(q) _(*) and

defined by τ_(ε)(x)=εx and τ_(ε)(y)=ε^(√q+1) y for all εεF_(q)*, and σ_(δ,μ)(x)=x+δ and σ_(δ,μ)(y)=y+δ ^(√q) x+μ, for all (δ,μ)␣

.

For a construction according to an embodiments of the disclosure, take all places of degree one other than Q as the P_(i), so that n=q√q. Note that

can be thought as an index set for the places P_(α,β) of degree one, replacing the previous index set I.

In addition, take the subgroup Φ⊂Aut_(ΣP) _(α,β) _(,Q) to be the subgroup generated by all the σ_(δ,μ)(x) with δ=0. It can be verified that the composition of two permutations of the form σ_(0,μ) is again of the form σ_(0,μ), and therefore Φ includes all √q permutations x

x, y

y+μ with μ^(√q)+μ=0, so that Φ is just the Galois group of H/F_(q)(x). Note that in characteristic 2, μ^(√{square root over (q)})+μ=0 if and only if μεF_(√{square root over (q)}).

To continue, the following issues should be considered.

1. For all d, determine r(d) and e(d), and explicitly describe x^([r(d)]).

2. Move from pre-AMD codes to AMD codes, which provide protection against all additive manipulations on the index part i.

The next proposition and its corollary address the first point.

Proposition 2. Let jε{1, . . . , √q−1}, and suppose that p:=char(F_(q)) does not divide j. Then for all integers i≧0 and for all σεΦ, σ≠id, one has −v _(Q)(σ(x ^(i) y ^(j))−x ^(i) y ^(j))=−v _(Q)(x ^(i) y ^(j))−√q−1. Proof. For μ≠0 with μ^(√q)=0, the action of a general automorphism σ_(0,μ)εΦ, σ_(0,μ)≠id, on x^(i)y^(j) is described by

$\begin{matrix} {{\sigma_{0,\mu}\left( {x^{i}y^{j}} \right)} = {x^{i}\left( {y + \mu} \right)}^{j}} \\ {= {x^{u}{\sum\limits_{a = 0}^{j}{\begin{pmatrix} j \\ a \end{pmatrix}y^{a}\mu^{j - a}}}}} \\ {= {{x^{i}\left( {y^{j} + {j\;\mu\; y^{j - 1}} + {{lower}\mspace{14mu}{order}\mspace{14mu}{terms}}} \right)}.}} \end{matrix}$ Subtracting x^(i)y^(j), one gets jμx^(i)y^(k−1)+lower order terms. Since j, μ≠0 by assumption, the proof is complete by the strict triangle inequality. ▪ Corollary 3. Let d

N*, and write m_(d)=i*√q+j*(√q+1) for i*≧0 and for 0≦j*≦√q−1. Then,

1. If p

j*, define i(d):=i*+2 and j(d):=j*, so that −v_(Q)(x^(i(d))y^(i(d)))=m_(d)+2√q. Then, by Proposition 2, for all σεΦ, σ≠id, one has −v _(Q)(σ(x ^(i(d)) y ^(i(d)))−x ^(i(d)) y ^(j(d)))=m _(d)+2√q−√q−1=m _(d) +√q−1. By definition, the last number is some pole number m_(e′(d)), with d+1≦e′(d)≦d+√q−1. Then the results of Theorem 1 will hold if x^([r(d)]) is replaced by x^(i(d))y^(j(d)) and e(d) is replaced by e′(d).

2. If p|j*, so that j*≠√q−1, take i(d):=i*+1 and j(d)=j*+1, so that p

j(d). It then follows from Proposition 2 that for all σεΦ, σ≠=id, one has −v _(Q)(σ(x ^(i(d)) y ^(j(d)))−x ^(i(d)) y ^(j(d)))=m _(d)2√q+1−√q−1=m _(d) +√q. Again, the last number is some pole number m_(e′)(d), now with d+1≦e′(d)≦d+√q, and the results of Theorem 1 hold if x^([r(d)]) is replaced by x^(i(d)))y^(j(d)) and e(d) is replaced by e′(d).

So, in any case, the bound on the miss probability in Theorem 1 holds if m_(e) is replaced by m_(d)+√q or e(d) by d+√q.

The second issue concerns modifying the pre-AMD codes of the previous section to become true AMD codes. According to an embodiment of the disclosure, this issue can be handled in the following way. Given the information sεF_(q) ^(d), draw some (α,β)ε

and map s to (s, (α,β),f_(s)(P_(α,β))). The resulting code may be known as C_(d) ^(H).

At a first glance, a Hermitian encoding procedure according to an embodiment of the disclosure looks like an encoding according to an embodiment of the disclosure from the previous section, but there is a subtle difference: Instead of using a minimum required log(|

|)=log(q√q) bits for storing the index from

, a full pair (α, β) is used, requiring log(q²) bits. This extra redundancy moves from a pre-AMD code to an AMD code according to an embodiment of the disclosure.

According to an embodiment of the invention, the decoding can work as follows: For a vector r:=({tilde over (s)}({tilde over (α)},{tilde over (β)}),γ)εF_(q) ^(d)×F_(q) ²×F_(q) to be checked, the following two steps may be performed:

Curve Test Step: Check whether ({tilde over (α)}, {tilde over (β)})ε

, that is, check whether β^(√q)+{tilde over (β)}={tilde over (α)}^(√{square root over (q)}+1). If ({tilde over (α)}, {tilde over (β)})∉

, declare that the vector r is illegal, meaning an adversary modified the original stored value. Otherwise, continue to the following step.

Error Detection Step: Check whether f_({tilde over (s)})(P_({tilde over (α)},{tilde over (β)}))=γ, that is, check whether substituting ({tilde over (α)},{tilde over (β)}) in x^(i(d))y^(j(d))+Σ_(k){tilde over (s)}_(k)b_(k) gives γ, where the b_(k) are of the form x^(i) ^(k) y^(j) ^(k) for appropriately chosen pairs (i_(k), j_(k)), to be described below. If not, declare that r is illegal. Otherwise, declare that r is legal, that is, that an adversary did not modify the original stored value.

Before proceeding, the action of Aut_(ΣP) _(α,β) _(,Q) on the places {P_(α,β)} will be described. There exists a matrix MεGL₂(F_(q)) and a vector bεF_(q) ² such that

$\begin{matrix} {\begin{pmatrix} {\sigma(x)} \\ {\sigma(y)} \end{pmatrix} = {{M\begin{pmatrix} x \\ y \end{pmatrix}} + {b.}}} & (3) \end{matrix}$ It is desired to find a ({tilde over (α)},{tilde over (β)})ε

such that σ⁻¹P_(α,β)=P_({tilde over (α)},{tilde over (β)}). Such {tilde over (α)}, {tilde over (β)} exist by the definition of Aut_(ΣP) _(α,β) _(,Q). Recalling the relation τ(z)(τP)=z(P) for z with v_(P)(z)≧0, where P is a place of degree 1, and reducing both sides of EQ. (3) modulo P_(α,β), one gets

$\begin{matrix} {\begin{pmatrix} {{\sigma(x)}\left( {\sigma\left( {\sigma^{- 1}P_{\alpha,\beta}} \right)} \right)} \\ {{\sigma(y)}\left( {\sigma\left( {\sigma^{- 1}P_{\alpha,\beta}} \right)} \right)} \end{pmatrix} = {\begin{pmatrix} {x\left( {\sigma^{- 1}P_{\alpha,\beta}} \right)} \\ {y\left( {\sigma^{- 1}P_{\alpha,\beta}} \right)} \end{pmatrix} = {\begin{pmatrix} \overset{\sim}{\alpha} \\ \overset{\sim}{\beta} \end{pmatrix} = {{M\begin{pmatrix} \alpha \\ \beta \end{pmatrix}} + {b.}}}}} & (4) \end{matrix}$ This means that the affine functions that take (x, y) to (σ(x), σ(y)) may also be used to take (α,β) to ({tilde over (α)},{tilde over (β)}): {tilde over (α)}=εα+δ,{tilde over (β)}=ε^(√{square root over (q)}+1)β+ε^(√{square root over (q)})α+μ.

As described above, the encoding of C_(d) ^(H) appends to an arbitrary message sεF_(q) ^(d) a random redundancy part in F_(q) ²×F_(q).

Theorem 4: For any replacement of the message part and for any additive error on the redundancy part of the output of the encoder of C_(d) ^(H), the probability δ of miss-detecting the error is bounded by

$\delta \leq {\max{\left\{ {\frac{1}{\sqrt{q}},{\frac{d}{q\sqrt{q}} + \frac{1}{2\sqrt{q}} + \frac{1}{2q}}} \right\}.}}$ In particular, the code C_(d) ^(H) is a (q^(d), q^(d+3), δ)-AMD code over F_(q), with

$\delta \leq {\max{\left\{ {\frac{1}{\sqrt{q}},{\frac{d}{q\sqrt{q}} + \frac{1}{2\sqrt{q}} + \frac{1}{2q}}} \right\}.}}$ In particular, if d≧g=q/2−√q/2, then

$\delta \leq {\frac{d}{q\sqrt{q}} + \frac{1}{2\sqrt{q}} + {\frac{1}{2q}.}}$ Proof: The encoded word is of the form (s, (α,β), f_(s)(P_(α,β))), where sεF_(q) ^(d) is the information, and (α,β) is drawn uniformly from

. Suppose an adversary transforms this encoded word into the corrupted word r:=(s′, (α+Δ₁, β+Δ₂),f_(s)(P_(α,β))+Δ₃) for some s′εF_(q), s′≠s, and some Δ₁, Δ₂, Δ₃εF_(q). Two cases may be distinguished.

Case 1: Δ₁≠0. In this case, the probability that r passes the Curve Test Step is exactly 1/√q. To show this, show that for all Δ₁, Δ₂εF_(q) with Δ₁≠0,

$\begin{matrix} {{\left\{ {{\left( {\alpha,\beta} \right) \in}❘{\left( {{\alpha + \Delta_{1}},{\beta + \Delta_{2}}} \right) \in}} \right\} } = {q = {\frac{n}{\sqrt{q}}.}}} & (5) \end{matrix}$ For all (α,β)ε

, one has

$\begin{matrix} {\mspace{79mu}{{\left( {\beta + \Delta_{2}} \right)^{\sqrt{}q} + \left( {\beta + \Delta_{2}} \right)} = \left( {\alpha + \Delta_{1}} \right)^{{\sqrt{}q} + 1}}} & (6) \\ {\left. \Leftrightarrow{\beta^{\sqrt{}q} + \Delta_{2}^{\sqrt{}q} + \beta + \Delta_{2}} \right. = {{\left( {\alpha^{\sqrt{}q} + \Delta_{1}^{\sqrt{}q}} \right)\left( {\alpha + \Delta_{1}} \right)} = {\left. {\alpha^{{\sqrt{}q} + 1} + {\alpha^{\sqrt{}q}\Delta_{1}} + {\Delta_{1}^{\sqrt{}q}\alpha} + \Delta_{1}^{{\sqrt{}q} + 1}}\mspace{79mu}\Leftrightarrow{\Delta_{2}^{\sqrt{}q} + \Delta_{2}} \right. = {{\alpha^{\sqrt{}q}\Delta_{1}} + {\Delta_{1}^{\sqrt{}q}\alpha} + {\Delta_{1}^{{\sqrt{}q} + 1}.}}}}} & (7) \end{matrix}$ Now, the last equation can be written as Tr(Δ₁ ^(√q)α)=Tr(Δ₂)−N(Δ₁),   (8) where

${Tr} = {{Tr}_{F_{q}/F_{\sqrt{q}}} = \left( a\mapsto{a^{\sqrt{}q} + a} \right)}$ is the trace map and

$N = {N_{F_{q}\text{/}F_{\sqrt{q}}} = \left( a\mapsto a^{I + {\sqrt{}q}} \right)}$ is the norm map. Since the trace is an onto F_(√q)-linear map F_(q)→F_(√q), there are exactly √q choices for Δ₁ ^(√q) α for which EQ. (8) is satisfied. Since Δ₁≠0, this means that there are √q values of a satisfying EQ. (8). For each of these choices of α, all √q choices of βεF_(q) for which Tr(β)=N(α) can be used in a pair (α, β) satisfying EQ. (6), as there is no constraint on β in EQ. (7).

Thus, there are q pairs (α,β)ε

that are shifted by (Δ₁, Δ₂) to another point of

, as desired.

Case 2: Δ₁=0. Substituting Δ₁=0 in EQ. (7), one obtains ∀(α,β)ε

:(α+0,β+Δ₂)ε

(0,Δ₂)ε

. This means that if (0, Δ₂)∉

, then the miss probability is 0, since the Curve Test Step will not pass for all choices of (α,β)ε

. Otherwise, if (0, Δ₂)ε

, then an adversary is in fact applying an automorphism from Φ on the places of degree 1, and therefore the bound δ≦(e(d)+g/n) from Theorem 1 may be used. Substituting e(d)≦d+√q (Corollary 3) completes the proof. ▪

EXAMPLE

Suppose one would like to protect u=2²⁰ information bits with a miss probability of no more than 2^(−κ) for κ=10. That is, the miss probability should not exceed about 10⁻³. The code of Cramer et al. requires working in F₂ ₂₆ and using 52 bits of redundancy on top of the 2²⁰ information bits.

The parameters of a code C_(d) ^(H) according to an embodiment of the disclosure can now be found. Writing q=2^(m) for m even, the requirements are:

1. Information size: and md≧u=2²⁰

2. Probability of miss:

-   -   (a) ½^(m/2)≦2^(−κ)=2⁻¹⁰     -   (b) d/2^(3m/2)+½^(m/2+1)+½^(m+1)≦2^(−κ)=2⁻¹⁰         An exemplary, non-limiting value for a smallest possible m that         satisfies condition 2(a) is m=20. Now condition 2(b) becomes         d/2³⁰+½¹¹+½²¹≦2⁻¹⁰, that is, d/2³⁰≦2⁻¹¹−2⁻²¹. Combining with         condition 1, one gets

$\begin{matrix} {{\frac{4}{5}2^{16}} = {\frac{2^{20}}{20} \leq d \leq {2^{19} - {2^{9}.}}}} & (9) \end{matrix}$

The minimum d satisfying EQ. (9) is d=┌2²⁰/20┐=52429. So, for the choice of m=2²⁰ and d=52429, all conditions are satisfied, and so one may get a code with the required parameters using 3 m=60 bits of redundancy while working in the field F₂ ₂₀ .

FIG. 5 is a table of comparisons of the AMD codes of Cramer, et al., and of AMD Hermitian codes according to an embodiment of the disclosure. The triples in the last two columns are of the form (required finite field, number of redundancy bits, value of d).

Hermitian AMD Code Operations

A detailed description of the operations for working with Hermitian AMD codes follows below. For simplicity, the case of characteristic 2 will be considered, as the other cases are similar as will be apparent to those of skill in the art. First, a high level description of the offline stages is provided.

Offline stage 1: The size q=2^(m) for even m of the finite field and the dimension d are calculated based on the number uεN* of bits to be protected and the maximum allowed miss probability, 2^(−κ), for κεN. The q and d calculated in this stage satisfy log(q^(d))≧u, and so one may think of information vectors, originally vectors in F₂ ^(u), as vectors in F_(q) ^(d).

Offline stage 2: Recall that encoding includes drawing a random point from the Hermitian curve

over F_(q), defined by

={(α,β)εF _(q) ×F _(q)|β^(√q)+β=α^(√q+1)}, where m is even, and therefore √q=2^(m/2) is an integer. This curve has q√q points, and it is not possible to store the whole curve. In the second offline stage, one stores the appropriate constants needed for efficiently producing the i-th curve point given a random index iε{0, . . . q√q−1}.

Offline stage 3: In later online stages, given the information vector sεF_(q) ^(d) and a point (α, β)ε

, a sum is calculated of the form f _(s)(α,β)=α^(i) ^(d=1) β^(j) ^(d+1) +Σ_(k=1) ^(d) s _(k)α^(i) ^(k) β^(j) ^(k)    (10) for an appropriate set I={(i_(k),j_(k))}_(k=1) ^(d+1) of d+1 pairs of integers. The entire set of pairs I may be specified by a relatively small set of integers, and this small set may be calculated and stored in the third offline stage. Detailed Description of Encoding and Decoding Offline Stage 1

As discussed in the example above, the parameters m and d should satisfy the following constraints, where u is the number of information bits to be protected, and the maximum allowed miss probability is 2^(−κ):

1. Information size: md≧u, that is, d≧u/m.

2. Probability of miss:

-   -   (a) ½^(m/2)≦2^(−κ), that is, m≧2κ.     -   (b) d/2^(3m/2)+½^(m/2+1)+½^(m+1)≦2^(−κ), that is,         d≦2^(3m/2−κ)−2^(m−1)−2^(m/2−1)         The above conditions can be summarized as follows:         m≧2κ and u/m≦d≦2^(3m/2−κ)−2^(m−1)−2^(m/2−1)   (11)         Write L(m):=u/m and U(m):=2^(3m/2−κ)−2^(m−1)−2^(m/2−1).         According to an embodiment of the disclosure, to work in a         smallest possible finite field, and for this finite field, to         work with a smallest possible d, one can find m and d as         follows:

1. Set m:=2κ.

2. If ┌L(m)▴≦U(m), set d:=┌L(m)┐ and output m and d. Otherwise, increase m by 2, since m is even, and repeat this step.

Note that an algorithm according to an embodiment of the disclosure will halt after a finite number of steps, because U(m) increases exponentially with m and L(m) decreases with m.

Offline Stage 2

In this stage, enough information is stored to support an efficient online mapping of a pair (a, b) of integers aε{0, . . . , q−1} and bε{0, . . . √q−1} to a point of

. More precisely, one would like to store enough constants to support an efficient online computation of a bijection {0, . . . , q−1}×{0, . . . √q−1}→

.

Recall that

includes all pairs (α, β)εF_(q)×F_(q) that satisfy β^(√q)+β=α^(√q+1). Now, because β

β^(√q)+β is a surjective (onto) F_(√q)-linear map F_(q)→F_(√q), which is the trace map, and because α^(√q+1)εF_(√q) for all αεF_(q), for each fixed αεF_(q) there are exactly √q choices of βεF_(q) such that (α, β)ε

. Moreover, if a single β*εF_(q) is found such that (α, β*)ε

for a fixed α, then the set of all β fitting α is β*+F_(√q), because the kernel of the above trace map in characteristic 2 is F_(√q).

Now, it can be verified by substitution that if zεF_(q) is an element of unit trace, that is, z^(√q)+z=1, then a possible choice for β* is β*=β*(α)=α^(√q+1)z. So, in a current offline stage according to an embodiment of the disclosure, the following constants will be stored:

-   -   Some fixed primitive element γ₁ of F_(q) and some fixed element         γ₂εF_(q) which is a primitive element of F_(√q) ⊂F_(q). Note         that given γ₁, one may take γ₂:=γ₁ ^(√q+1).     -   Some fixed element zεF_(q) of unit trace. This may be found by         scanning γ₁, γ₁ ², . . . , until an element of unit trace is         found.

For future reference, a bijection h: {0, . . . q−1}×{0, . . . , √q−1}→

according to an embodiment of the disclosure may be described as follows:

First, for a ε{0, . . . , q−1}, define

$u_{a}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} a} = 0},} \\ \gamma_{1}^{a - 1} & {otherwise} \end{matrix},} \right.$ so that F_(q)={u₀, . . . , u_(q−1)}. Similarly, for bε{0, . . . , √q−1}, define

$V_{b}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} b} = 0},} \\ \gamma_{2}^{b - 1} & {otherwise} \end{matrix},} \right.$ so that F_(√q)={v₀, . . . , v_(√q−1)}. Now a bijection h according to an embodiment of the disclosure is given by h(a,b)=(u _(a) ,u _(a) ^(√q+1) z+v _(b)),   (12) where β*(u_(a))=u_(a) ^(√q+1)z. Offline Stage 3

In this stage enough information is stored to reproduce the exponentials for calculating EQ. (10). For this, one first finds the (d+1)-th pole number, m_(d), of the place Q defined above. Here, the set W of pole numbers, which is a Weierstrass semigroup of the place Q, is {i√q+j(√q+1)|i≧0, 0≦j≦√g−1}. Writing an integer of the form i√q+j(√q+1) as (i+j)√q+j, it may be seen that W is the set of integers k with └k/√{square root over (q)}┘≧k mod √q: 0,(√q,√q+1),(2√q,2√+1,2√q+2), . . . . Note that starting from (√q−1)√q, there are no gaps. So, m₀=0, m₁=√q, etc.

Recalling that genus g=(√q−1)√q/2, note that starting from 2g, there are no gaps, while in the range 0, . . . , 2g−1, there are exactly g gaps and g pole numbers. This follows from the general Weierstrass Gap Theorem, or, for the current Hermitian case, by noting that the number of pole numbers is 1+2+ . . . +(√q−1)=g.

This means that if d≧g, then the (d+1)-th pole number m_(d) is given by m_(d)=2g+(d−g)=d+g, because starting from m_(g)=2g, each number is a pole number. Writing d+g=a√q+j* for integer a≧0 (actually, a≧√q−1 in this case) and 0≦j*≦√q−1, then m_(d)=i*√q+j*(√q+1) for i*:=a−j*≧0.

Now, if dε{0, . . . , g−1}, one needs to find in which “chunk” m_(d) sits. For this, a largest positive integer l may be found such that 1+2+ . . . +l≦d+1, that is, such that

$\begin{matrix} {\frac{l \times \left( {l + 1} \right)}{2} \leq {d + 1.}} & (13) \end{matrix}$

Write l* for the maximal such l, which may be found by solving a quadratic equation. If l* satisfies EQ. (13) with equality, then m_(d)=(l*−1)√q+l*−1=i*√q+j*(√q+1) for i*=0 and j*=l*−1. Otherwise, setting j*:=d−l*(l*+1)/2ε{0, . . . , l*≦√q−2} and i*=l*−j*≧0, then m_(d)=i*√q+j*(√q+1).

The set of exponents I₁:={i_(k),j_(k))}_(k=1) ^(d) for the rightmost sum of EQ. (10) is the set of all pairs (i, j)εN×N corresponding to all pole numbers m₁, m₂, . . . , m_(d), where m₀ is excluded, that is, the set of all pairs (i, j)εN×N with j≦√q−1 such that some pole number m_(a) with 1≦a≦d can be written as i√q+j(√q+1). Thus, according to an embodiment of the disclosure, I ₁={(i,j)εN×N|i+j<i*+j* and j≦√{square root over (q)}−1}520 {(i,j)εN×N|i+j=i*+j* and j≦j*} Graphically, in the ij plane, I₁ comprises diagonal lines of slope −45 degrees with a constant sum i+j bounded from the left by the vertical line i=0, from above by the line j=√q−1, and from below by the line j=0. On the rightmost diagonal line that corresponds to i+j=i*+j*, typically only a subset of the points are included, defined by the upper limit j ≦j*, while all other lines are only restricted by the vertical line i=0 from the left and the horizontal lines j=0 and j=√q−1 from below and from above, respectively. According to an embodiment of the disclosure, for defining I₁, it is enough to store i* and j*, assuming that √q is known.

Until this point only the rightmost sum in EQ. (10) has been considered. It remains to consider the pair of exponents (i_(d+1), j_(d+1)) appearing in the right-hand side of EQ. (10). Note that this pair does not necessarily correspond to m_(d+1). Using Corollary 3, above, (i_(d+1), j_(d+1)) can be calculated as follows:

$\left( {i_{d + 1},j_{d + 1}} \right):=\left\{ \begin{matrix} \left( {{i^{*} + 2},j^{*}} \right) & {{{if}\mspace{14mu} 2} \nmid j^{*}} \\ \left( {{i^{*} + 1},{j^{*} + 1}} \right) & {{{if}\mspace{14mu} 2} \mid j^{*}} \end{matrix} \right.$

Note that in the second case, j* is strictly smaller than √q−1. The calculated pair (i_(d+1), j_(d+1)) may be stored.

Encoding (Online)

FIG. 6A is a flowchart of a method for encoding data using AMD Hermitian codes, according to an embodiment of the disclosure. Referring now to the figure, given an information vector sεF_(q) ^(d) received at step 50, the following steps may be performed:

Step 61: For drawing a random point P from

, draw two integers aε{0, . . . , q−1} and bε{0, . . . , √q−1}. Equivalently, draw a single integer from {0, . . . q√q−1} and perform the appropriate mod and floor operations.

Step 62: Use the stored information from Offline Stage 2 to find a corresponding point (α, β)ε

using EQ. (12).

Step 63: Calculate the sum f_(s)(α, β) from EQ. (10), using the information from Offline Stage 3 for producing the appropriate power pairs (i_(k), j_(k)).

Step 64: Output as the encoded word the triple (s, (α, β), f_(s)(α, β)).

Decoding (Check for Errors Online)

FIG. 6B is a flowchart of a method for decoding data using AMD Hermitian codes, according to an embodiment of the disclosure. Referring now to the figure, given a triple (s′, (α′, β′), γ)εF_(q) ^(d)×F_(q) ²×F_(q) received at step 65, perform the following two steps:

-   -   Step 66: (Curve Test Step) Check whether β′^(√q)+β′=α′^(√q+1).         If not, an error may be declared at step 58. Otherwise, proceed         to a next step.     -   Step 67: (Error Detection Step) Calculate the sum f_(s′)(α′,β′)         from EQ. (10), again, using the information from Offline Stage 3         for producing power pairs (i_(k), j_(k)). If f_(s′)(α′; β′)≠γ′,         an error may be declared at step 68. Otherwise, at step 69,         declare that no error was injected in s′.         External Protection Against Fault Injections

As an example, consider an AES encryption block that works per sectors of 2¹⁵ bits. The encryption block divides the sector internally into chunks of 128 bits and performs encryption, and the encrypted output is released sector-by-sector. In a side channel attack, an adversary injects errors during the encryption process and uses the faulty outputs to retrieve the secret key. Protecting internal AES blocks is relatively simple, except that fault can be injected between checks. For example, if check i checks the i-th round of AES, in which parity is calculated before the round and then checked after the round, then fault can be injected between the parity check of round i and the parity calculation of round i+1. On the other hand, error injection can be checked externally, in the sector level. If a fault is injected before the parity calculation, then the wrong data will be encrypted, but there will be no faulty states during encryption, so that the secret key cannot be retrieved. In such an application, it is reasonable to allow a rather modest miss probability of about 0.1-1% on the entire sector, especially since it is possible to disable encryption if a pre-defined number of faults, or a pre-defined fault rate, is detected.

One solution is to decrypt the encrypted sector and compare it to the input plaintext. The encrypted sector is revealed only if the plaintext=decrypt(encrypt(plaintext)). This probably has a very low miss probability, but requires storing the entire plaintext sector for comparison.

However, a solution with reduced storage is to use an embodiment of the disclosure to perform error detection with AMD codes. The redundancy bits of the Hermitian AMD code are calculated for the plaintext sector, and only the redundancy bits are stored, which is typically a couple of tens of bits. Then, encrypt, decrypt, and AMD-check the following vector: [decrypt(encrypt(plaintext)), redundancy bits].

System Implementations

It is to be understood that embodiments of the present disclosure can be implemented in various forms of hardware, software, firmware, special purpose processes, or a combination thereof. In one embodiment, the present disclosure can be implemented in hardware as an application-specific integrated circuit (ASIC), or as a field programmable gate array (FPGA). In another embodiment, the present disclosure can be implemented in software as an application program tangible embodied on a computer readable program storage device. The application program can be uploaded to, and executed by, a machine comprising any suitable architecture.

FIG. 7 is a block diagram of a system for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with a block cipher code, according to an embodiment of the disclosure. Referring now to FIG. 7, a computer system 71 for implementing the present invention can comprise, inter alia, a central processing unit (CPU) 72, a memory 73 and an input/output (I/O) interface 74. The computer system 71 is generally coupled through the I/O interface 74 to a display 75 and various input devices 76 such as a mouse and a keyboard. The support circuits can include circuits such as cache, power supplies, clock circuits, and a communication bus. The memory 73 can include random access memory (RAM), read only memory (ROM), disk drive, tape drive, etc., or a combinations thereof. The present disclosure can be implemented as a routine 77 that is stored in memory 73 and executed by the CPU 72 to process the signal from the signal source 78. As such, the computer system 71 is a general purpose computer system that becomes a specific purpose computer system when executing the routine 77 of the present invention. Alternatively, as described above, embodiments of the present disclosure can be implemented as an ASIC or FPGA 77 that is in signal communication with the CPU 72 to process the signal from the signal source 78.

The computer system 71 also includes an operating system and micro instruction code. The various processes and functions described herein can either be part of the micro instruction code or part of the application program (or combination thereof) which is executed via the operating system. In addition, various other peripheral devices can be connected to the computer platform such as an additional data storage device and a printing device.

It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures can be implemented in software, the actual connections between the systems components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings of the present invention provided herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

While the present invention has been described in detail with reference to exemplary embodiments, those skilled in the art will appreciate that various modifications and substitutions can be made thereto without departing from the spirit and scope of the invention as set forth in the appended claims. 

What is claimed is:
 1. An application specific integrated circuit tangibly encoding a program of instructions executable by the integrated circuit to perform a method for protecting data from algebraic manipulation, the method comprising the steps of: receiving a data word s εF_(q) ^(d), at the application specific integrated circuit, from a communications channel to be protected, wherein q is a prime power and F_(q) ^(d) is a vector space over the finite field F_(q) including vectors (x₁, x₂, . . . , x_(d)) with x_(i) εF_(q) for all i ε{1, . . . , d}; the application specific integrated circuit fixing a basis {1, b₁, . . . , b_(d)} for a Riemann-Roch space L(m_(d)Q) as an F_(q)-vector space, wherein Q is a distinct place of degree 1 of an algebraic function field F/F _(q) of one variable with full constant field F_(q) and with genus g and m_(d) is a pole number of Q; the application specific integrated circuit executing instructions for drawing an index i from a set I :={1, . . . , n}; encoding, by the application specific integrated circuit, s as (s, i, f_(s)(P_(i))) εF_(q) ^(d) ×I_(n)×F_(q), wherein f_(s)(P_(i)) is defined as f_(s):=x^([r(d)])+Σ_(j=1) ^(d)s_(j)b_(j), wherein r(d):=min{j|∃x εL(m_(j)Q): ∀σεΦ, σ≠id: σ(x)−x εL(m_(j)Q)|L(m_(d)Q)}, is a subgroup of Aut_(D,Q)(F/F_(q)):={σεAut(F/F_(q))|σ(Q)=Q and σ(D)=D}, Aut(F/F_(q)) is a group of automorphisms of F over F_(q), D:=P₁+ . . . +P_(n) wherein Q, P₁, . . . , P_(n) are pairwise distinct places of F/F _(q) of degree 1, and X ^([r(d)]) is an element of L(m_(r)(_(d))Q) for which σ(x^([r(d)]))−x^([r(d)])εL(m_(e)Q)\L(m_(d)Q) for all αεΦ, σ≠id, and for a minimum possible e ≧d+1, protecting the index i against fault injection attack with a weak algebraic manipulation detection (AMD) code, wherein a received triple r:=({tilde over (s)}, ĩ, {tilde over (v)}) εF_(q) ^(d)×I_(n)×F_(q) is valid iff {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)); and declaring an error if the received triple r is invalid, wherein an error is detected in ({tilde over (s)}, ĩ, {tilde over (v)}) by checking the index ĩ, and if the ĩ-check passes, checking whether {tilde over (v)}=f_({tilde over (s)})(P_(ĩ)).
 2. The method of claim 1, wherein the weak AMD code is constructed from a perfect nonlinear function.
 3. The method of claim 2, wherein q is a square and the number of places of degree 1 is q^(r) for some integer r, the perfect non-linear function $\left. {F_{q}^{r} \cong F_{\sqrt{q}}^{2\; r}}\rightarrow F_{\sqrt{q}} \right.$ is constructed as (x ₁, . . . ,x_(2r))

x ₁ x ₂+x₃ x ₄ +. . . +x _(2r-1) x _(2r).
 4. The method of claim 1, further comprising encoding the data word s using a block cipher.
 5. The method of claim 4, wherein the block cipher is selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.
 6. An application specific integrated circuit tangibly encoding a program of instructions executable by the integrated circuit to perform a method for protecting encrypted data from algebraic manipulation, the method comprising the steps of: receiving a data word sεK^(d), at the application specific integrated circuit, from a communications channel to be protected, wherein K is a finite field of q elements for a square prime power q and a predetermined d; the application specific integrated circuit randomly selecting two integers a ε{0, . . . , q−1} and b ε{0, . . . , √q−1}; the application specific integrated circuit executing instructions for finding a point (α, β) on a Hermitian curve over a field F_(q) that corresponds to the randomly selected integers (a, b) from a mapping (a, b)

(α, β)=u_(a), u_(a) ^(√q+1)z+v_(b)), wherein $u_{a}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} a} = 0},} \\ \gamma_{1}^{a - 1} & {otherwise} \end{matrix},{V_{b}:=\left\{ {\begin{matrix} 0 & {{{{if}\mspace{14mu} b} = 0},} \\ \gamma_{2}^{b - 1} & {otherwise} \end{matrix},} \right.}} \right.$  and z is a pre-selected element of the field F_(q) of unit trace, and wherein γ₁ is a pre-selected fixed primitive element of the field F_(q) and γ₂ is a pre-determined fixed element of the field F_(q) which is a primitive element of a field F_(√q) ⊂ F_(q); and calculating, by the application specific integrated circuit, a sum f _(s)(α,β)=α^(i) ^(d+1) β^(j) ^(d+1) +Σ_(k=1) ^(d) s _(k)α^(i) ^(k) β^(j) ^(k)  for an appropriate set of d+1 integers pairs I={(i_(k),j_(k))}_(k=1) ^(d+1), outputting, by the application specific integrated circuit, a triple (s, (α, β),f_(s)(α, β)) as an encoded word, wherein said encoded word is protected from side-channel attacks during transmission.
 7. The method of claim 6, wherein said Hermitian curve

over F_(q), is defined by point pairs (α, β) wherein

={(α, β) εF_(q)×F_(q)|β^(√q)+β=α^(√q+1)}, wherein √q=2^(m/2) is an integer for an even m.
 8. The method of claim 6, further comprising calculating q and the dimension d based on a number uεN* of information bits to be protected and a maximum allowed miss probability, 2^(−κ), for κ ε N, wherein q and d satisfy log(q^(d))≧u.
 9. The method of claim 8, wherein calculating q and the dimension d comprises: initializing m=2κ; and if ${\left\lceil \frac{u}{m} \right\rceil \leq {2^{{3{m/2}} - \kappa} - 2^{m - 1} - 2^{{m/2} - 1}}},$  setting ${d = \left\lceil \frac{u}{m} \right\rceil},$  wherein q=2^(m).
 10. The method of claim 9, wherein if ${\left\lceil \frac{u}{m} \right\rceil > {2^{{3{m/2}} - \kappa} - 2^{m - 1} - 2^{{m/2} - 1}}},$ the method further comprises incrementing m by 2 and repeating the step of setting ${d = \left\lceil \frac{u}{m} \right\rceil},$ if $\left\lceil \frac{u}{m} \right\rceil \leq {2^{{3{m/2}} - \kappa} - 2^{m - 1} - {2^{{m/2} - 1}.}}$
 11. The method of claim 6, wherein γ₂=γ₁ ^(√q+1), and z is determined by scanning γ₁,γ₁ ², . . . , until an element of unit trace is found, wherein an element of unit trace z satisfies Z^(√q)+z=1.
 12. The method of claim 6, further comprising finding a (d+1)-th pole number, m_(d), of a place Q of F/F_(q) of degree 1, wherein a set of pole numbers of place Q is {i√q+j(√q+1)|i≧0, 0≦j≦√q−1}, wherein exponents I ₁={(i _(k) ,j _(k))}_(k=1) ^(d)={(i,j) εN×N|i+j<i*+j* and j≦√{square root over (q)}−1}∪{(i,j) εN×N|i+j=i*+j* and j≦j*}  are a pre-calculated set of all pairs (i,j) εN×N that correspond to pole numbers m₁, m₂, . . . , m_(d), i* εN, j* ε{0, . . . √{square root over (q)}−1} are unique integers such that m_(d)=i*√{square root over (q)}+j*(√{square root over (q)}+1), and exponents (i_(d+1), j_(d+1)) are pre-calculated from $\left( {i_{d + 1},j_{d + 1}} \right):=\left\{ {\begin{matrix} \left( {{i^{*} + 2},j^{*}} \right) & {{{if}\mspace{14mu} 2} \nmid j^{*}} \\ \left( {{i^{*} + 1},{j^{*} + 1}} \right) & {{{if}\mspace{14mu} 2} \mid j^{*}} \end{matrix}.} \right.$
 13. The method of claim 12, wherein, if d≧g=(√q−1)√q/2, then the (d+1)-th pole number m_(d) is m_(d)=2g+(d−g)=d+g, and if d□{0, . . . , g−1}, the method further comprises finding a largest positive integer l such that ${\frac{l \times \left( {l + 1} \right)}{2} \leq {d + 1}},$ wherein if ${\frac{l \times \left( {l + 1} \right)}{2} = {d + 1}},$  then m_(d)=i*√q+j*(√q+1) for i*=0 and j*=l−1, otherwise  m_(d)=i*√q+j*(√q+1) for j*=d−l(l+1)/2 ε{0, . . . , l≦√q−2} and i*l−j*≧0.
 14. The method of claim 6, further comprising encoding said data word s using a block cipher.
 15. The method of claim 14, wherein the block cipher is selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.
 16. An application specific integrated circuit tangibly encoding a program of instructions executable by the integrated circuit to perform a method for protecting encrypted data from algebraic manipulations, the method comprising the steps of: receiving a triple (s, (α, β), γ), at the application specific integrated circuit, from a communications channel that is an element of F_(q) ^(d)×F_(q) ²×F_(q), wherein s is an encoded data word, and q and d are predetermined constants; the application specific integrated circuit decoding the encoded data word using algebraic manipulation detection (AMD) Hermitian codes by determining whether β^(√q)+β=α^(√q+1); and if β^(√q)+β=α^(√q+1), further determining, by the application specific integrated circuit, whether a sum f_(s)(α, β)=γ, wherein f _(s)(α,β)=α^(i) ^(d+1) β^(j) ^(d+1) +Σ_(k=1) ^(d) s _(k)α^(i) ^(k) β^(j) ^(k)  for an appropriate set of d+1 integers pairs I={(i_(k),j_(k))}_(k=1) ^(d+1), wherein if either β^(√q)+β≠α^(√q+1) or f_(s)(α,β)≠γ, declaring an error, otherwise declaring that no error was injected into s.
 17. The method of claim 16, further comprising calculating q and the dimension d based on a number uεN* of information bits being protected and a maximum allowed miss probability, 2^(−κ), for κεN, wherein q and d satisfy log(q^(d)) ≧u. 